
Security Test: Directive overloading

Description

Directive Overloading occurs when a client can send a query that carries a very large number of directives (for example the same directive repeated hundreds of times on a single field). The engine has to tokenize, parse and validate every one of them before any resolver-level limit applies, so a small request can consume disproportionate CPU and memory and deny service to other clients.

Remediation

Limit the number of directives allowed in a query. This limit should be enforced by the GraphQL engine while it parses the document (or by a check placed in front of the parser), not after validation or inside resolvers: by then the engine has already tokenized and validated every directive, and an unbounded document can exhaust the process's memory or CPU before execution even starts.
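As an added example (this is not Escape's code and not any listed engine's own rule), the check below counts directive tokens in the raw document text and rejects it before the GraphQL engine parses it, which is the point made above: the work is refused before it is done. It also builds the kind of payload the test sends. The limit of 50, the `overload_payload` helper and the sample queries are assumptions constructed for the example.

```python
"""Pre-parse directive-count limiter for GraphQL documents.

Added example, not Escape's code nor any listed engine's own rule. It counts
'@name' directive tokens in the raw document (skipping strings and comments)
so a flood of directives is rejected before the engine parses and validates
it. The threshold of 50 is an arbitrary assumption; tune it to real queries.
"""

import re

MAX_DIRECTIVES = 50  # assumed limit; set it just above your largest legitimate query

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")  # GraphQL Name token


class DirectiveLimitExceeded(ValueError):
    """Raised when a document carries more directives than allowed."""


def count_directives(document: str) -> int:
    """Count directive tokens ('@' followed by a Name) in a GraphQL document.

    An '@' inside a comment, a quoted string or a block string is not a
    directive, so those regions are skipped rather than counted.
    """
    i, n, count = 0, len(document), 0
    while i < n:
        ch = document[i]
        if ch == "#":                                   # comment: runs to end of line
            while i < n and document[i] not in "\r\n":
                i += 1
        elif document.startswith('"""', i):             # block string """..."""
            end = document.find('"""', i + 3)
            while end != -1 and document[end - 1] == "\\":  # \""" is an escape
                end = document.find('"""', end + 3)
            i = n if end == -1 else end + 3
        elif ch == '"':                                 # string "..." with \ escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
        elif ch == "@":
            i += 1
            m = _NAME.match(document, i)
            if m:                                       # '@' + Name is a directive
                count += 1
                i = m.end()
        else:
            i += 1
    return count


def is_within_limit(document: str, max_directives: int = MAX_DIRECTIVES) -> bool:
    """True when the document may be handed to the GraphQL engine."""
    return count_directives(document) <= max_directives


def enforce_directive_limit(document: str, max_directives: int = MAX_DIRECTIVES) -> str:
    """Gate to call before parse(): returns the document unchanged or raises."""
    found = count_directives(document)
    if found > max_directives:
        raise DirectiveLimitExceeded(
            f"query carries {found} directives, limit is {max_directives}")
    return document


def overload_payload(n: int) -> str:
    """Constructed attack document: one field followed by n directives in a row.

    An engine must tokenize all n of them before validation can reject the
    repeats; that pre-validation cost is what the gate above avoids.
    """
    return "query { __typename " + " ".join(["@include(if: true)"] * n) + " }"


# Constructed legitimate query: two real directives, plus '@' characters in a
# comment and in a string literal that must not be counted.
LEGIT_QUERY = """
# fetch user @ login    <- '@' in a comment, not a directive
query User($withEmail: Boolean!) {
  user(email: "alice@example.com") {   # '@' in a string, not a directive
    name
    email @include(if: $withEmail)
    bio @skip(if: false)
  }
}
"""

if __name__ == "__main__":
    print(count_directives(LEGIT_QUERY))               # 2
    print(is_within_limit(overload_payload(10_000)))   # False
```

Call `enforce_directive_limit(body)` on the request body before handing it to the engine's `parse`. Because the scanner is linear in the document length and allocates nothing per directive, it stays cheap even on the payloads it rejects; a request-body size cap in front of it rejects the very largest documents earlier still.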

GraphQL Specific

Apollo Upgrade to graphql (graphql-js) >= 16.0.0 if you are not already up to date. You can also use our [GraphQL Armor](https://escape.tech/graphql-armor/docs/getting-started) middleware to limit the number of directives allowed in a query.
Awsappsync AWS AppSync is a managed service, so you cannot change its parser; limit what reaches it instead. Configure the API's query depth limit and resolver count limit, put AWS WAF in front of the API with a size constraint on the request body and a rate-based rule per client, and keep per-field authorization in your resolvers so that a throttled or rejected request can never touch data beyond the caller's scope.
Graphqlgo In graphql-go the document is parsed into an AST before validation; add a step that walks the parsed document, counts the directives on every operation, field and fragment, and rejects the document when the count exceeds your threshold, before `graphql.Do` executes it. A byte-size cap on the request body rejects the largest payloads even earlier.
Graphqlruby In GraphQL Ruby, add a query analyzer (`GraphQL::Analysis::AST::Analyzer`) that counts the directives across the operation and its fragments and returns an error above the threshold, alongside the schema's `max_depth` and `max_complexity` limits; a request-body size cap in front of the application rejects the largest documents before they are parsed.
Hasura Hasura's engine cannot be extended with a custom validation rule, so limit the document before it reaches the engine: enforce a request-body size cap and a directive-count check at the gateway or reverse proxy, enable Hasura's API limits (depth limit, node limit, rate limit), and use query allow lists so that untrusted clients can only send known operations.
Agoo Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Agoo engine.
Ariadne Ariadne runs on graphql-core: add a validation rule that counts directives and rejects documents over the threshold (graphql-core 3.2 and later can also cap total tokens with the parser's `max_tokens` option), and rate-limit clients that repeatedly send oversized queries.
Caliban Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Caliban engine.
Dgraph Reject queries that carry more consecutive directives than the threshold before Dgraph executes them, and rate-limit clients that repeatedly send oversized queries.
Dianajl Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the dianajl engine.
Directus Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Directus GraphQL endpoint.
Flutter Flutter is a client framework, so the limit belongs on the server a Flutter app talks to: reject documents above the directive threshold there before execution, and rate-limit clients that repeatedly send oversized queries.
Graphene Graphene runs on graphql-core: apply the same directive-count validation rule and parser token cap described for Ariadne above, and rate-limit clients that repeatedly send oversized queries.
Graphqlapiforwp Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the GraphQL API for WP endpoint.
Graphqlgophergo Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries.
Graphqljava In graphql-java, cap the parser with `ParserOptions` `maxTokens` (a directive flood is a token flood) and add an instrumentation or validation rule that counts directives and aborts the request over the threshold, alongside the max-depth and max-complexity instrumentations; rate-limit clients that repeatedly send oversized queries.
Graphqlphp In graphql-php, register a custom validation rule with `DocumentValidator::addRule()` that counts directives across the document and reports an error over the threshold, alongside the `QueryDepth` and `QueryComplexity` rules; rate-limit clients that repeatedly send oversized queries.
Graphqlyoga Upgrade to graphql (graphql-js) >= 16.0.0 if you are not already up to date. You can also use our [GraphQL Armor](https://escape.tech/graphql-armor/docs/getting-started) middleware to limit the number of directives allowed in a query.
Hypergraphql Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to HyperGraphQL.
Jaal Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Jaal engine.
Juniper Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Juniper engine.
Lacinia Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Lacinia engine.
Lighthouse Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Lighthouse engine.
Mercurius Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Mercurius engine.
Morpheusgraphql Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the MorpheusGraphQL engine.
Gqlgen In gqlgen, add a handler extension (in the same way as its `FixedComplexityLimit` extension) that counts the directives in the parsed operation and rejects it over the threshold before execution; rate-limit clients that repeatedly send oversized queries.
Sangria Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Sangria engine.
Shopify Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Shopify GraphQL endpoint.
Stepzen Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to StepZen.
Strawberry Strawberry runs on graphql-core: apply the same directive-count validation rule and parser token cap described for Ariadne above, and rate-limit clients that repeatedly send oversized queries.
Tartiflette Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the Tartiflette engine.
Wpgraphql Count the directives in the parsed document and reject queries above the threshold before execution; rate-limit clients that repeatedly send oversized queries to the WPGraphQL endpoint.

Configuration

Identifier: resource_limitation/graphql_directive_overload

Options

  • threshold : Maximum number of directives allowed before raising an alert in the fast check.

Examples

Ignore this check

checks:
  resource_limitation/graphql_directive_overload:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
  • CVSS_SCORE: 6.9